<!DOCTYPE html>
<html lang="zh-CN">





<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/apple-touch-icon.png">
  <link rel="icon" type="image/png" href="/img/favicon.png">
  <meta name="viewport"
        content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="description" content="安全行业从业者，主要方向PC逆向附带安卓和Linux逆向，时不时喜欢写点BUG代码">
  <meta name="author" content="Cray">
  <meta name="keywords" content="">
  <title>Flare_on_2017_writeup(持续更新) ~ 逆向安全博客</title>

  <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/5.12.1/css/all.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/css/bootstrap.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/mdbootstrap/4.13.0/css/mdb.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/github-markdown-css/3.0.1/github-markdown.min.css"  >

<link rel="stylesheet" href="//at.alicdn.com/t/font_1067060_qzomjdt8bmp.css">



  <link rel="stylesheet" href="/lib/prettify/tomorrow.min.css"  >

<link rel="stylesheet" href="/css/main.css"  >


  <link rel="stylesheet" href="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.css"  >


<meta name="generator" content="Hexo 5.2.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">


    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/">首页</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/archives/">归档</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/tags/">标签</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/links/">友链</a>
          </li>
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" data-toggle="modal" data-target="#modalSearch">&nbsp;&nbsp;<i
                class="iconfont icon-search"></i>&nbsp;&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="view intro-2" id="background" false
      style="background: url('https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20201117192034382.png') no-repeat center center;
      background-size: cover;">
    
        <div class="full-bg-img">
        <div class="mask rgba-black-light flex-center">
          <div class="container text-center white-text fadeInUp">
            <span class="h2" id="subtitle">
              
                Flare_on_2017_writeup(持续更新)
              
            </span>

            
              <br>
              

              <p>
                
                  
                  &nbsp;<i class="far fa-chart-bar"></i>
                  <span class="post-count">
                    1.4k 字
                  </span>&nbsp;
                

                
                  
                  &nbsp;<i class="far fa-clock"></i>
                  <span class="post-count">
                      6 分钟
                  </span>&nbsp;
                

                
                  <!-- 不蒜子统计文章PV -->
                  
                  &nbsp;<i class="far fa-eye" aria-hidden="true"></i>&nbsp;
                  <span id="busuanzi_container_page_pv">
                    <span id="busuanzi_value_page_pv"></span> 次
                  </span>&nbsp;
                
              </p>
            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid">
  <div class="row">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-md">
      <div class="py-5 z-depth-3" id="board">
        <div class="post-content mx-auto" id="post">
          <div class="markdown-body">
            <h3 id="说明"><a href="#说明" class="headerlink" title="说明"></a>说明</h3><p>来源<a target="_blank" rel="noopener" href="https://www.fireeye.com/blog/threat-research/2017/10/2017-flare-on-challenge-solutions.html">https://www.fireeye.com/blog/threat-research/2017/10/2017-flare-on-challenge-solutions.html</a></p>
<p>号称逆向界的扛把子比赛，必须得碰一碰，有时间就更新</p>
<h3 id="1"><a href="#1" class="headerlink" title="1"></a>1</h3><p>看到是ROT，其实可以不用逆算法，直接加一行，计算即可</p>
<p>修改后代码如下</p>
<pre><code class="html">&lt;!DOCTYPE Html /&gt;
&lt;html&gt;
    &lt;head&gt;
        &lt;title&gt;FLARE On 2017&lt;/title&gt;
    &lt;/head&gt;
    &lt;body&gt;
        &lt;input type=&quot;text&quot; name=&quot;flag&quot; id=&quot;flag&quot; value=&quot;Enter the flag&quot; /&gt;
        &lt;input type=&quot;button&quot; id=&quot;prompt&quot; value=&quot;Click to check the flag&quot; /&gt;
        &lt;script type=&quot;text/javascript&quot;&gt;
            document.getElementById(&quot;prompt&quot;).onclick = function () &#123;
                var flag = document.getElementById(&quot;flag&quot;).value;
                var rotFlag = flag.replace(/[a-zA-Z]/g, function(c)&#123;return String.fromCharCode((c &lt;= &quot;Z&quot; ? 90 : 122) &gt;= (c = c.charCodeAt(0) + 13) ? c : c - 26);&#125;);
                alert(rotFlag);
                if (&quot;PyvragFvqrYbtvafNerRnfl@syner-ba.pbz&quot; == rotFlag) &#123;
                    alert(&quot;Correct flag!&quot;);
                &#125; else &#123;
                    alert(&quot;Incorrect flag, rot again&quot;);
                &#125;
            &#125;
        &lt;/script&gt;
    &lt;/body&gt;
&lt;/html&gt;
</code></pre>
<p>输入<code>PyvragFvqrYbtvafNerRnfl@syner-ba.pbz</code>就能打印出flag</p>
<h6 id="flag-ClientSideLoginsAreEasy-flare-on-com"><a href="#flag-ClientSideLoginsAreEasy-flare-on-com" class="headerlink" title="flag:ClientSideLoginsAreEasy@flare-on.com"></a>flag:<code>ClientSideLoginsAreEasy@flare-on.com</code></h6><h3 id="2"><a href="#2" class="headerlink" title="2"></a>2</h3><p>这题的获取输入输出比较经典</p>
<p>使用<code>GetStdHandle</code>来直接操作IO管道</p>
<p>如果是输出就使用</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools//image-20201009173859724.png" srcset="/img/loading.gif" alt="image-20201009173859724"></p>
<p>输入就，不用导入</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20201009173934780.png" srcset="/img/loading.gif" alt="image-20201009173934780"></p>
<p>本题关键处理如下，主要是一个XOR</p>
<p><img src="Z:\2020笔记\Flare-2017\image-20201009173652498.png" srcset="/img/loading.gif" alt="image-20201009173652498"></p>
<p>解题脚本如下</p>
<pre><code class="python">stand = [0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69, 0x00]
key = 0x04
for i in range(len(stand)-1,-1,-1):
    key = stand[i]^key
    stand[i] = key

for k in stand:
    print(chr(k),end=&quot;&quot;) 
</code></pre>
<h6 id="flag-R-y0u-H0t-3n0ugH-t0-1gn1t3-flare-on-com"><a href="#flag-R-y0u-H0t-3n0ugH-t0-1gn1t3-flare-on-com" class="headerlink" title="flag:R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com"></a>flag:<code>R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com</code></h6><h3 id="3"><a href="#3" class="headerlink" title="3"></a>3</h3><p>本题原理不难理解，总的一句话就是<strong>输入一个密钥去解密一段代码，这段代码就是flag生成的代码</strong></p>
<p>主要有代码解密算法,对[40107c，40107c+0x79]范围代码进行修改</p>
<pre><code class="C"> v2 = &amp;loc_40107C;
 v3 = buf;
 do
 &#123;
 *v2 = (v3 ^ *v2) + 0x22;
 ++v2;
 &#125;
 while ( (signed int)v2 &lt; (signed int)&amp;loc_40107C + 0x79 );</code></pre>
<p>修改后会有一个CheckSum函数（0x4011e6）校验<code>[40107c，40107c+0x79]</code>的hash是否等于<code>0xFB5E</code></p>
<pre><code class="C">text:00401036                 mov     dl, [ebp+buf] ;输入保存在buf中，dl为输入低8位，也就是第一个字符
text:00401039                 mov     bl, [eax]
text:0040103B                 xor     bl, dl
text:0040103D                 add     bl, 22h 
text:00401040                 mov     [eax], bl</code></pre>
<p>一共就255中可能，直接爆破，但是要模拟这段代码，需要进行指令模拟，本来准备使用angr，但是基本功不过关，没能拿到最后的值</p>
<p>这里使用官方的解法，使用unicorn来模拟CheckSum代码计算校验和，具体代码如下</p>
<pre><code class="python">import binascii
import struct
from unicorn import *
from unicorn.x86_const import *
from capstone import *

#python3要使用这种格式
CHECKSUM_CODE = b&quot;\x55\x8B\xEC\x51\x8B\x55\x0C\xB9\xFF\x00\x00\x00\x89\x4D\xFC\x85\xD2\x74\x51\x53\x8B\x5D\x08\x56\x57\x6A\x14\x58\x66\x8B\x7D\xFC\x3B\xD0\x8B\xF2\x0F\x47\xF0\x2B\xD6\x0F\xB6\x03\x66\x03\xF8\x66\x89\x7D\xFC\x03\x4D\xFC\x43\x83\xEE\x01\x75\xED\x0F\xB6\x45\xFC\x66\xC1\xEF\x08\x66\x03\xC7\x0F\xB7\xC0\x89\x45\xFC\x0F\xB6\xC1\x66\xC1\xE9\x08\x66\x03\xC1\x0F\xB7\xC8\x6A\x14\x58\x85\xD2\x75\xBB\x5F\x5E\x5B\x0F\xB6\x55\xFC\x8B\xC1\xC1\xE1\x08\x25\x00\xFF\x00\x00\x03\xC1\x66\x8B\x4D\xFC\x66\xC1\xE9\x08\x66\x03\xD1\x66\x0B\xC2&quot;
ENCODED_BYTES = b&quot;\x33\xE1\xC4\x99\x11\x06\x81\x16\xF0\x32\x9F\xC4\x91\x17\x06\x81\x14\xF0\x06\x81\x15\xF1\xC4\x91\x1A\x06\x81\x1B\xE2\x06\x81\x18\xF2\x06\x81\x19\xF1\x06\x81\x1E\xF0\xC4\x99\x1F\xC4\x91\x1C\x06\x81\x1D\xE6\x06\x81\x62\xEF\x06\x81\x63\xF2\x06\x81\x60\xE3\xC4\x99\x61\x06\x81\x66\xBC\x06\x81\x67\xE6\x06\x81\x64\xE8\x06\x81\x65\x9D\x06\x81\x6A\xF2\xC4\x99\x6B\x06\x81\x68\xA9\x06\x81\x69\xEF\x06\x81\x6E\xEE\x06\x81\x6F\xAE\x06\x81\x6C\xE3\x06\x81\x6D\xEF\x06\x81\x72\xE9\x06\x81\x73\x7C&quot; 

def decode_bytes(i):
    decoded_bytes = b&quot;&quot;
    for byte in ENCODED_BYTES:
        decoded_bytes += chr(((ord(byte) ^ i) + 0x22) &amp; 0xFF)
    return decoded_bytes

def emulate_checksum(decoded_bytes):
    address = 0x400000
    stack_addr = 0x410000
    dec_bytes_addr = 0x420000

    mu = Uc(UC_ARCH_X86, UC_MODE_32)
    mu.mem_map(address, 2 * 1024 * 1024)
    mu.mem_write(address, CHECKSUM_CODE)
    mu.mem_write(dec_bytes_addr, decoded_bytes)

    #初始化堆栈，CHECKSUM_CODE代码中需要用到
    mu.reg_write(UC_X86_REG_ESP, stack_addr)
    mu.mem_write(stack_addr + 4, struct.pack(&#39;&lt;I&#39;, dec_bytes_addr))
    mu.mem_write(stack_addr + 8, struct.pack(&#39;&lt;I&#39;, 0x79))

    mu.emu_start(address, address + len(CHECKSUM_CODE))
    checksum = mu.reg_read(UC_X86_REG_AX)
    return checksum

for i in range(0, 256):
    decoded_bytes = decode_bytes(i)
    checksum = emulate_checksum(decoded_bytes)
    if checksum == 0xFB5E:
        print (&#39;Checksum matched with byte %X&#39; % i)
        print (&#39;Decoded bytes disassembly:&#39;)
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        for j in md.disasm(decoded_bytes, 0x40107C):
            print (&quot;0x%x:\t%s\t%s&quot; % (j.address, j.mnemonic, j.op_str))
        break
</code></pre>
<p>最后计算出一段代码，调试即可得到flag</p>
<h6 id="flag-et-tu-brute-force-flare-on-com"><a href="#flag-et-tu-brute-force-flare-on-com" class="headerlink" title="flag:et_tu_brute_force@flare-on.com"></a>flag:<code>et_tu_brute_force@flare-on.com</code></h6><h3 id="4"><a href="#4" class="headerlink" title="4"></a>4</h3><p>本地文件天擎报毒，VT一查40多家毒，拿到虚拟机运行，没发现什么问题。静态IDA可以发现入口点被改了</p>
<p>基本可以确定是感染性木马，一步一步跟，API调用基本都是延迟导入，功能也很简单，感染指定目录下的文件</p>
<p>我这里是<code>C:\Users\sam\flareon2016challenge</code>逻辑上是会去判断时间戳。时间戳信息如下</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20201010211636401.png" srcset="/img/loading.gif" alt="image-20201010211636401"></p>
<p>主要的判断解密逻辑在<code>sub_1014670</code>中</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20201010211737873.png" srcset="/img/loading.gif" alt="image-20201010211737873"></p>
<p>这个密钥来自上面中的四个不同时间戳的文件</p>
<p>偏移分别为0x400,0x4010,0x4020,0x4030 的前8个字节，凑成一个密钥来解密</p>
<p>本题只给了一个文件，有点脑洞，文件名提示是2016的flare-on的几个文件，所以去找2016年的题中的文件来对比</p>
<p>这里还有个技巧，要按照顺序放入然后执行，不然会导致密钥对顺序不对，这里的顺序是</p>
<p>challenge1.exe、DudeLocker.exe、khaki.exe、unknown</p>
<p>Key.bin</p>
<pre><code class="c">55 8B EC 8B 4D 0C 56 57 8B 55 08 52 FF 15 30 20
C0 40 50 FF D6 83 C4 08 00 83 C4 08 5D C3 CC CC</code></pre>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/VM_tools/image-20201010211426771.png" srcset="/img/loading.gif" alt="image-20201010211426771"></p>

            <hr>
          </div>
          <br>
          <div>
            <p>
            
            
              <span>
                <i class="iconfont icon-tag"></i>
                
                  <a class="hover-with-bg" href="/tags/CTF/">CTF</a>
                
              </span>
            
            </p>
            
              <p class="note note-warning">本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://zh.wikipedia.org/wiki/Wikipedia:CC_BY-SA_3.0%E5%8D%8F%E8%AE%AE%E6%96%87%E6%9C%AC" rel="nofollow noopener noopener">CC BY-SA 3.0协议</a> 。转载请注明出处！</p>
            
          </div>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container">
        <div id="toc">
  <p class="h5"><i class="far fa-list-alt"></i>&nbsp;目录</p>
  <div id="tocbot"></div>
</div>
      </div>
    
  </div>
</div>

<!-- custom -->


<!-- Comments -->
<div class="col-lg-7 mx-auto nopadding-md">
  <div class="container comments mx-auto" id="comments">
    
      <br><br>
      
      
  <div class="disqus" style="width:100%">
    <div id="disqus_thread"></div>
    <script>
      var disqus_config = function () {
        this.page.url = 'http://cve.gitee.io/cve/2020/09/25/Flare-2017/';
        this.page.identifier = '/2020/09/25/Flare-2017/';
      };
      var oldLoad = window.onload;
      window.onload = function () {
        var d = document, s = d.createElement('script');
        s.type = 'text/javascript';
        s.src = '//' + 'crayon-1' + '.disqus.com/embed.js';
        s.setAttribute('data-timestamp', +new Date());
        (d.head || d.body).appendChild(s);
      };
    </script>
    <noscript>Please enable JavaScript to view the <a target="_blank" href="https://disqus.com/?ref_noscript" rel="nofollow noopener noopener">comments
        powered by Disqus.</a></noscript>
  </div>


    
  </div>
</div>

    
  </main>

  
    <a class="z-depth-1" id="scroll-top-button" href="#" role="button">
      <i class="fa fa-chevron-up scroll-top-arrow" aria-hidden="true"></i>
    </a>
  

  
    <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
  

  <footer class="mt-5">
  <div class="text-center py-3">
    <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><b>Hexo</b></a>
    <i class="iconfont icon-love"></i>
    <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"> <b>Fluid</b></a>
    <br>

    
  
    <!-- 不蒜子统计PV -->
    
    &nbsp;<span id="busuanzi_container_site_pv"></span>总访问量 
          <span id="busuanzi_value_site_pv"></span> 次&nbsp;
  
  
    <!-- 不蒜子统计UV -->
    
    &nbsp;<span id="busuanzi_container_site_uv"></span>总访客数 
            <span id="busuanzi_value_site_uv"></span> 人&nbsp;
  
  <br>



    


    <!-- cnzz Analytics icon -->
    

  </div>
</footer>

<!-- SCRIPTS -->
<script src="https://cdn.staticfile.org/jquery/3.4.1/jquery.min.js" ></script>
<script src="https://cdn.staticfile.org/popper.js/1.16.1/umd/popper.min.js" ></script>
<script src="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/js/bootstrap.min.js" ></script>
<script src="https://cdn.staticfile.org/mdbootstrap/4.13.0/js/mdb.min.js" ></script>
<script src="/js/main.js" ></script>


  <script src="/js/lazyload.js" ></script>



  
  <script src="https://cdn.staticfile.org/tocbot/4.10.0/tocbot.min.js" ></script>
  <script>
    $(document).ready(function () {
      var navHeight = $('#navbar').height();
      var toc = $('#toc');
      var main = $('main');
      var tocT = navHeight + (toc.offset().top - main.offset().top);
      var tocLimMin = main.offset().top - navHeight;
      var tocLimMax = $('#comments').offset().top - navHeight;
      $(window).scroll(function () {
        var scroH = document.body.scrollTop + document.documentElement.scrollTop;
        if (tocLimMin <= scroH && scroH <= tocLimMax) {
          toc.css({
            'display': 'block',
            'position': 'fixed',
            'top': tocT,
          });
        } else if (scroH <= tocLimMin) {
          toc.css({
            'position': '',
            'top': '',
          });
        } else if (scroH > tocLimMax) {
          toc.css('display', 'none');
        }
      });
      tocbot.init({
        tocSelector: '#tocbot',
        contentSelector: '.post-content',
        headingSelector: 'h1,h2,h3,h4,h5,h6',
        linkClass: 'tocbot-link',
        activeLinkClass: 'tocbot-active-link',
        listClass: 'tocbot-list',
        isCollapsedClass: 'tocbot-is-collapsed',
        collapsibleClass: 'tocbot-is-collapsible',
        scrollSmooth: true,
      });
      if ($('.toc-list-item').length > 0) {
        $('#toc > p').css('visibility', 'visible');
      }
    });
  </script>







  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>


<!-- Plugins -->



  <script src="https://cdn.staticfile.org/prettify/188.0.0/prettify.min.js" ></script>
  <script>
    $(document).ready(function () {
      $('pre').addClass('prettyprint  linenums');
      prettyPrint();
    })
  </script>





  <script src="https://cdn.staticfile.org/anchor-js/4.2.2/anchor.min.js" ></script>
  <script>
    anchors.options = {
      placement: "right",
      visible: "hover",
      
    };
    var el = "h1,h2,h3,h4,h5,h6".split(",");
    var res = [];
    for (item of el) {
      res.push(".markdown-body > " + item)
    }
    anchors.add(res.join(", "))
  </script>



  <script src="/js/local-search.js" ></script>
  <script>
    var path = "/local-search.xml";
    var inputArea = document.querySelector("#local-search-input");
    inputArea.onclick = function () {
      getSearchFile(path);
      this.onclick = null
    }
  </script>



  <script src="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.js" ></script>
  <script>
    $("#post img:not(.no-zoom img, img[no-zoom])").each(
      function () {
        var element = document.createElement("a");
        $(element).attr("data-fancybox", "images");
        $(element).attr("href", $(this).attr("src"));
        $(this).wrap(element);
      }
    );
  </script>












</body>
</html>
